[cups.general] Q. Proper way to startup cupsd as a non-root user as opposed to debian hacks?
Kurt Pfeifle
kpfeifle at danka.de
Tue Jun 6 10:07:48 PDT 2006
Klaus Singvogel <kssingvo at suse.de> wrote (Tuesday 06 June 2006 18:08):
> Michael Sweet wrote:
> [...]
>> *All* of the CUPS-related advisories in the last
>> 4 years have been in the filters or support programs and not in the
>> scheduler, backend, or CUPS API code that runs as root.
>
> *smile* In the last 4 years nothing in the scheduler?! :-)
> Very funny. Harhar. :-)
>
> Here are three issues from 2004 concerning the scheduler:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2154
* Bug in matching printer name case sensitive or not; not related
to whether scheduler runs as root or as user IMHO.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0923
* That one was for xpdf code; meaning "filter" in CUPS, not scheduler.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0558
* DoS attack; can make CUPS stop listening on :631. Not dependent
on whether scheduler runs as root or as user IMHO.
> I stopped looking through my ChangeLog afterwards, but I'm sure there
> are more.
So indeed, 2 of your examples do prove that the scheduler was/is
vulnerable to bugs.
But to me, they do not prove the point in question: running as user
will increase security.
> Regards,
> Klaus.
Cheers,
Kurt